On Wed, 2012-07-18 at 11:00 +1000, Grahame Grieve wrote:
> > +1 to what seems to be a lot of developers: make TLS mandatory.
> >
> >> so, even when used in an internal application protocol, it's going to
> >> be end to end
> >> encrypted to make it super hard to debug?
> >
> > In an internal application protocol, why would it be "super hard to
> > debug"? The client can do an HTTP dump before TLS, the server can do
> > an HTTP dump after TLS; either of the sides could debug the TLS.
>
> yep. they can. But they have to. 3rd parties are shut out. I get that in
> some circumstances this is good. But not all. As an example, I spend
> quite a bit of my time looking at browser traffic now, to debug why
> my servers or clients aren't working the way that a 3rd party
> client/server set up is. Unless it's https, in which case.... I have to find
> some other way.
>

this is just tooling.. and there are lots of good emerging answers to this. For Firefox and Chrome you can use the directions in https://developer.mozilla.org/en/NSS_Key_Log_Format to get a "keylog" file you can give to Wireshark so it can simply decode a TLS packet capture. It's pretty sweet. Other tools will come along.

Received on Wednesday, 18 July 2012 13:06:41 GMT
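As an added example (not part of the original message and not NSS or Wireshark code), a small Python validator for the key log format mentioned above: it checks each line before the file is handed to Wireshark and reports whether the log holds a secret for a given ClientHello random. The function names and sample values are constructed for illustration, and the TLS 1.3 labels it accepts postdate this thread.

```python
import re

# Labels used in the NSS key log format: RSA and CLIENT_RANDOM cover
# TLS 1.2 and earlier; the others are the TLS 1.3 per-stage secrets.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
}
HEX = re.compile(r"[0-9a-fA-F]+\Z")
# Constructed sample (not real key material): one valid entry, one truncated.
CR = "ab" * 32
SAMPLE = ("# constructed key log\nCLIENT_RANDOM " + CR + " " + "cd" * 48 +
          "\nCLIENT_RANDOM " + "ef" * 32 + " " + "12" * 20 + "\n")


def parse_keylog(text):
    """Return (entries, errors); entries maps identifier hex -> {label: secret}."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        parts = line.split(" ")
        if len(parts) != 3 or not all(HEX.match(p) for p in parts[1:]):
            errors.append((lineno, "expected: LABEL <hex> <hex>"))
            continue
        label, ident, secret = parts[0], parts[1].lower(), parts[2].lower()
        if label == "RSA":  # 8 bytes of encrypted premaster, 48-byte premaster
            ok = len(ident) == 16 and len(secret) == 96
        elif label == "CLIENT_RANDOM":  # 32-byte random, 48-byte master secret
            ok = len(ident) == 64 and len(secret) == 96
        elif label in TLS13_LABELS:  # secret length follows the hash (32 or 48)
            ok = len(ident) == 64 and len(secret) in (64, 96)
        else:
            errors.append((lineno, "unknown label " + label))
            continue
        if not ok:
            errors.append((lineno, "wrong field length for " + label))
            continue
        entries.setdefault(ident, {})[label] = secret
    return entries, errors


def can_decrypt(entries, client_random_hex):
    """True if a secret is logged for the ClientHello random seen in a capture."""
    labels = entries.get(client_random_hex.lower(), {})
    return "CLIENT_RANDOM" in labels or bool(TLS13_LABELS & labels.keys())
```

A key log file contains session secrets, so it needs the same handling as private key material: restrict its permissions and delete it once the capture has been analysed.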